如何使用security / sssd将Active Directory与FreeBSD 10.0集成?

Modified on: Sun, 25 Aug 2019 10:40:02 +0800

使用带有Kerberos TGT的AD后端的sssd,在FreeBSD 10.0中的Windows Server 2012 R2上运行的Active Directory中对用户进行身份验证的必要步骤是什么?

最佳答案

要使一切都能开箱即用,有一些棘手的考虑因素。 FreeBSD目前只支持sssd 1.9.6版。因此,不支持企业主要名称。

如果您的域名具有不匹配的UPN,则无法登录,因为在此过程中Kerberos身份验证将失败,即使FreeBSD支持使用Kerberos的企业主体名称,sssd也无法处理此问题情况下。

因此,在sssd的实际版本中,您只能在同一域名中使用用户主体名称,例如:

Domain Name = example.com
NetBIOS Name = EXAMPLE
User Principal Name:
username@example.com sAMAccountName: username

了解这一点,我们可以描述在FreeBSD中成功验证AD用户的步骤。

1。配置Kerberos

使用以下内容创建文件/etc/krb5.conf

[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = yes

2。安装Samba 4.1并将其配置为加入域

安装Samba 4.1:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes

使用以下内容创建文件/usr/local/etc/smb4.conf

[global] security = ads realm = EXAMPLE.COM workgroup = EXAMPLE kerberos method = secrets and keytab client signing = yes client use spnego = yes log file = /var/log/samba/%m.log

要求管理员Kerberos票证:

$ pkg install samba41

然后加入域并创建密钥表

[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    kerberos method = secrets and keytab

    client signing = yes
    client use spnego = yes
    log file = /var/log/samba/%m.log

3。安装带有Kerberos支持的sssd软件包和Cyrus SASL

安装所需的包:

$ kinit Administrator

编辑文件/usr/local/etc/sssd/sssd.conf以匹配此设置:

[sssd] config_file_version = 2 services = nss, pam domains = example.com [nss] [pam] [domain/example.com] # Uncomment if you need offline logins #cache_credentials = true id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad # Comment out if the users have the shell and home dir set on the AD side default_shell = /bin/tcsh fallback_homedir = /home/%u # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available #ldap_sasl_mech = GSSAPI #ldap_sasl_authid = SERVER-HOSTNAME$@EXAMPLE.COM

4。添加sssd支持到nsswitch.conf

编辑文件/etc/nsswitch.conf以匹配此设置:

$ net ads join createupn=host/server-hostname.example.com@EXAMPLE.COM -k
$ net ads keytab create -k

5。配置PAM以允许sssd身份验证并处理主目录创建

安装主目录创建的可选包:

$ pkg install sssd cyrus-sasl-gssapi

修改必要的PAM域以匹配此设置:

[sssd]
    config_file_version = 2
    services = nss, pam
    domains = example.com

[nss]

[pam]

[domain/example.com]
    # Uncomment if you need offline logins
    #cache_credentials = true

    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad

    # Comment out if the users have the shell and home dir set on the AD side
    default_shell = /bin/tcsh
    fallback_homedir = /home/%u

    # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
    #ldap_sasl_mech = GSSAPI
    #ldap_sasl_authid = SERVER-HOSTNAME$@EXAMPLE.COM

6。切换到启用SASL的OpenLDAP客户端

group: files sss
passwd: files sss

7。最后确认一切正常

$ pkg install pam_mkhomedir

相关问答

添加新评论